$OpenBSD: patch-kdm_backend_ctrl_c,v 1.1 2010/05/13 07:01:00 ajacoutot Exp $

CVE-2010-0436, see:
    http://www.kde.org/info/security/advisory-20100413-1.txt

--- kdm/backend/ctrl.c.orig	Mon Jan 15 12:32:23 2007
+++ kdm/backend/ctrl.c	Thu May 13 08:57:25 2010
@@ -140,22 +140,24 @@ openCtrl( struct display *d )
 				if (strlen( cr->path ) >= sizeof(sa.sun_path))
 					LogError( "path %\"s too long; no control sockets will be available\n",
 					          cr->path );
-				else if (mkdir( sockdir, 0755 ) && errno != EEXIST)
+				else if (mkdir( sockdir, 0700 ) && errno != EEXIST)
 					LogError( "mkdir %\"s failed; no control sockets will be available\n",
 					          sockdir );
+				else if (unlink( cr->path ) && errno != ENOENT)
+					LogError( "unlink %\"s failed: %m; control socket will not be available\n",
+					          cr->path );
 				else {
-					if (!d)
-						chown( sockdir, -1, fifoGroup );
-					chmod( sockdir, 0750 );
 					if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0)
 						LogError( "Cannot create control socket\n" );
 					else {
-						unlink( cr->path );
 						sa.sun_family = AF_UNIX;
 						strcpy( sa.sun_path, cr->path );
 						if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) {
 							if (!listen( cr->fd, 5 )) {
-								chmod( cr->path, 0666 );
+								chmod( cr->path, 0660 );
+								if (!d)
+								   chown( cr->path, -1, fifoGroup );
+								chmod( sockdir, 0755 );
 								RegisterCloseOnFork( cr->fd );
 								RegisterInput( cr->fd );
 								free( sockdir );
@@ -218,12 +220,8 @@ chownCtrl( CtrlRec *cr, int uid )
 {
 	if (cr->fpath)
 		chown( cr->fpath, uid, -1 );
-	if (cr->path) {
-		char *ptr = strrchr( cr->path, '/' );
-		*ptr = 0;
+	if (cr->path)
 		chown( cr->path, uid, -1 );
-		*ptr = '/';
-	}
 }
 
 void
